Nortel Secure Router 8000 Series
Troubleshooting - VAS

2 IPSec and IKE troubleshooting

2.5.4 Troubleshooting procedure

Step 1 Check whether two ends of the tunnel are reachable with no IPSec policy applied.

Use the undo ipsec policy command on both ends of the IPSec tunnel.

On PC A, ping PC B.

A failed ping indicates a faulty link or route between PC A and PC B. For information about
removing the fault, see Nortel Secure Router 8000 Series Troubleshooting - IP Routing
(NN46240-706).

If the ping succeeds, the fault may be related to IPSec. Continue with the following steps.

Step 2 Ensure that IPSec tunnel setup is not triggered by the communication party applying the
IPSec policy template.

Ping PC B from PC A. The IPSec template used by Router B specifies no policy rules, so
Router B can operate only as the negotiation responder.

Continue with the following steps.

Step 3 Check that SAs are set up in Phase 1 and Phase 2.

See the troubleshooting procedure for “Troubleshooting ISAKMP SA.”

Continue with the following steps.

Step 4 Check that IKE peer configurations agree with the constraint conditions.

Check the following:

whether the negotiation in Phase 1 is in aggressive mode

whether the peer name is used as the local ID type

whether NAT is enabled on the IKE peer

Use the display ike peer name command.

<RouterA> display ike peer name routerb

IKE Peer : routerb

exchange mode: aggressive on phase 1

pre-shared-key: nortel

proposal:

local id type: name

peer ip address: 202.38.162.1

peer name: routerb

nat traversal: enable

Use the preceding command on Router A and Router B to view the constraint conditions. If
the IKE peer configurations are correct, continue with the following steps.
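
The Step 4 check can be scripted when the output is collected from both routers. The following is an added example, not part of the Nortel manual: it assumes the required values are the ones shown in the sample output above, and the Router B output and all function names are constructed for illustration.

```python
# Added example: check "display ike peer name" output against Step 4.
# Assumption: the required values are the ones in the manual's sample output.
CONSTRAINTS = {
    "exchange mode": "aggressive on phase 1",
    "local id type": "name",
    "nat traversal": "enable",
}

# Router A output as printed in Step 4 of the manual.
ROUTER_A_OUTPUT = """<RouterA> display ike peer name routerb
IKE Peer : routerb
exchange mode: aggressive on phase 1
pre-shared-key: nortel
proposal:
local id type: name
peer ip address: 202.38.162.1
peer name: routerb
nat traversal: enable
"""

# Constructed Router B output (not from the manual): wrong ID type, and the
# NAT traversal line is absent. The value "ip" is an assumed spelling.
ROUTER_B_OUTPUT = """<RouterB> display ike peer name routera
IKE Peer : routera
exchange mode: aggressive on phase 1
pre-shared-key: nortel
local id type: ip
peer name: routera
"""

def parse_ike_peer(text):
    """Parse the command output into a dict keyed by lowercase field name."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("<"):  # skip blanks and the prompt line
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[" ".join(key.lower().split())] = " ".join(value.split())
    return fields

def check_constraints(fields):
    """Return (field, expected, actual) for each unmet constraint condition."""
    return [(k, want, fields.get(k)) for k, want in CONSTRAINTS.items()
            if (fields.get(k) or "").lower() != want]

if __name__ == "__main__":
    for name, out in (("RouterA", ROUTER_A_OUTPUT), ("RouterB", ROUTER_B_OUTPUT)):
        print(name, check_constraints(parse_ike_peer(out)) or "OK")
```

Only the three constraint fields are reported, so the pre-shared key in the captured output is never echoed.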

Step 5 Check that IPSec proposals agree with the constraint conditions.

Check the following:

whether ESP is used in IPSec proposals

whether the encapsulation type is transport mode

Issue 01.01 (30 March 2009)

Nortel Networks Inc.
